XML Entity Injection

csharp.xml_entity_injection

Severity

critical

Resource

Injection

Language

CSharp

Description

Improper Neutralization of XML entities ('Xml Entity Injection')

The XML Entity Injection (XXE) vulnerability exploits the Document Type Definition (DTD) feature of XML parsers. External entities define a way to include content from an external source or file into an XML document. When a parser processes these entities, it can result in unintended exposure of files or services being queried.

Rationale

An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser.

This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts. Even remote command execution is possible in the worst case!

Some examples of attack payloads follow:

<!--
  denial-of-service if the XML processor does not limit
  the size of content from external entities
-->
<!DOCTYPE foo [
   <!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM  "file:///dev/random" >]>
<foo>&xxe;</foo>

<!-- exfiltrate sensitive files -->
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>

Example in C# Code

Consider an XML parser implementation in C# where an XML file is processed without secure configuration:

using System.Xml;

// ...
// VULNERABLE to XXE
var settings = new XmlReaderSettings
{
    DtdProcessing = DtdProcessing.Parse, // enables DTD processing
    XmlResolver = new XmlUrlResolver() // enables external entity resolution
};

using XmlReader reader = XmlReader.Create(untrustedInputStream, settings);
while(await reader.ReadAsync())
{
  // ...
}

An attacker could craft an XML document like:

<!DOCTYPE foo [
  <!ELEMENT foo ANY>
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<foo>&xxe;</foo>

When processed, this can lead to the exposure of sensitive files (e.g., the contents of /etc/passwd).

Remediation

To remediate XML Entity Injection vulnerabilities, follow these best practices:

Disable External Entities: Configure your XML parsers to disable external entity processing. This is crucial in preventing any external entity exploitation.

Ensure that attempts to use external entities or DTDs will fail by setting the appropriate features in the parser factory configuration.
Validate Input: If your application must use DTD or external entities for legitimate purposes, implement strict validation and sanitization. Validate the input to ensure only expected XML structures are processed.
Use a Secure Parser: Consider using high-level XML libraries or APIs that handle parsing securely by default, and always keep them updated to take advantage of security improvements.

Implementing these strategies will adequately safeguard the application from XML Entity Injection attacks.

In the previous vulnerable code, a safe configuration for DocumentBuilder factory to avoid external entities is shown:

using System.Xml;

// ...
// FIXED
var settings = new XmlReaderSettings
{
    DtdProcessing = DtdProcessing.Prohibit, // DTD processing disabled
    XmlResolver = null // no external entity resolution
};

using XmlReader reader = XmlReader.Create(untrustedInputStream, settings);
while(await reader.ReadAsync())
{
  // ...
}

In recent versions of .NET, the default settings are safe against XXE for APIs such as XmlReader.Create(input), following the 'safe by default' principle. Read more in default settings for XmlReader.

If you need a specific configuration, try to avoid dangerous settings allowing DTD declarations in untrusted XML inputs, or external entities expansion.

Avoid XmlTextReader and other legacy APIs, which are not safe against XXE by default. Always set XmlResolver = null, even of DTD processing is disabled, for defense in depth. Note also that using XmlDocument.Load() / XDocument.Load() without a properly configured XmlReader is also unsafe.

Configuration

The detector has the following configurable parameters:

sources, that indicates the source kinds to check.
neutralizations, that indicates the neutralization kinds to check.

Unless you need to change the default behavior, you typically do not need to configure this detector.

References

CWE-611 : Improper Restriction of XML External Entity Reference.
CWE-776 : Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion').
XML External Entity Attacks.
XML External Entity Prevention Cheat Sheet, in OWASP Cheat Sheet Series.